Thailand’s National Broadcasting and Telecommunications Commission (NBTC) cleared the country’s largest mobile operator AIS in a data privacy leak after determining it wasn’t involved in the release of subscriber call and location records.

NBTC secretary-general Takorn Tantaisith said the panel found that an AIS employee was responsible for taking the customer data, the Bangkok Post said.

A month ago the regulator set up a panel to investigate how an AIS employee breached internal data policies and procedures to steal the data. AIS dismissed the executive after finding he had sold client phone recorders for two to three years and has taken legal action against the employee. The operator later found that the employee stole data records from up to 100 customers.

If AIS was found to have been involved in the leak, it could face harsh penalties, including prison sentences of up to two years for executives or even have its operating licence revoked, in accordance with the Telecom Business Act.

AIS conducted it own investigation and said it has taken steps to improve its information security protection measures. The operator has put in place a double password system and a closed work environment, including restricted areas for mobile phones and USB thumb drives, the Post said.